The present invention relates to providing controlled access to data and/or software processes in a distributed environment. It finds particular application in database security.
In the past, users have been able to run software applications from their terminals, for instance by accessing the application software on an applications server. The application itself may be downloaded to the user terminal, or just a suitable front end for the application may be downloaded, such as forms and selection buttons, the application remaining on the remote server. An application accessed by a user may then give the user access to other software processes, or to data stored in a database.
In a distributed environment, the application or database may be installed on a site remote to the user, across one or more networks. To run the application or access the database, the user needs routing (or “connect”) information of some sort, such as a network address. If the user wants to access a database directly, they need connect information for the database. If the user wants to run an application and the application is simply a front end to a database, the connect information the user needs is effectively, again, connect information for the database itself. Where the user can get connect information to a database, there is a potential weakness in access control.
Access control arises where there is a requirement for access restrictions to an application or database, for instance such that it can be used by subscribers only. Alternatively, it may be that some users can use all the functionality available while other users are barred from some functionality, for instance because of rank or job description. This situation would arise where account staff need both read and write access to a company’s accounts databases but staff elsewhere in the company might be limited to read access only, and to accessing data relating only to themselves.
(A user’s terminal will usually these days be a personal computer. However, it could equally have little or no processing capacity of its own, instead having access to processing capacity elsewhere. The use of the word “terminal” herein should not be taken as an indication of the capabilities of the user equipment. It is simply used to refer to the piece of equipment the user has access to for making inputs.)
In order to provide a security check, it is known to write an authentication process into an application, or database front end, so that it will only run when a valid identity code (ID) and a password have been entered by the user. The application or front end may also have for instance a stored set of “user profiles” which allow it to tailor the capabilities it offers to a user to a limited set of capabilities for which the user is specifically registered.
As mentioned above, a problem can occur where a user can get connect information for a database, such as a network address. The user might have the connect information legitimately, because they have at least limited rights to access the database directly. Alternatively, the user might have legitimate rights to run an application within their own environment which gives access to a remote database and the application may store the network address for the database within the user’s environment. A technically expert user may then be able to extract the connect information for the database for instance because they know where in their environment the connect information is stored.
However the user gets connect information to a database, the problem is that the user can then potentially bypass the application or front end which would normally restrict the data they can view in the database. For instance, the user could access the database using a different application, or tool, particularly one which does not restrict that user. All the user has to do is give the substitute application or tool the connect information for the database.
According to embodiments of the present invention, there is provided a security system for controlling access to data and/or one or more software processes, which security system comprises:
i) input means for receiving user identification data from a user station;
ii) means for authenticating received user identification data;
iii) first data storage means for storing access restriction information in relation to the data and/or software process(es);
iv) second data storage means for storing connect information for the data and/or software process(es);
v) input means for receiving an identifier for selected data or software process(es);
vi) translation means for translating a received identifier to connect information for locating the selected data or software process(es), using the second data storage means;
vii) connection setup means for setting up a connection for providing access from the user station to the selected data or software process(es), using a translated identifier; and
viii) disconnect means for disconnecting a link between the security system and the user station once said connection has been set up between the user station and the selected data or software process(es).
The term “user station” as used herein comprises the user’s local environment; that is at least the user’s terminal and potentially also the user’s local server. In general, the user station will comprise a platform on which the user’s local processes run. This could be for instance a personal computer alone, or a dumb terminal plus other platforms, potentially network-based.
Preferably, the connection setup means comprises means for transmitting connect information (a translated identifier) via the user station to the selected database or software process. Preferably also, the connection setup means comprises encryption means for encrypting the connect information prior to transmission.
A security system according to an embodiment of the present invention constitutes a functional layer between a user station and one or more databases and/or software processes, such as a set of applications. If connect information for the database(s) and/or process(es) is stored at the security system and need only be transmitted through the user station, at runtime, for the purpose of finding a selected database and/or software process, the user cannot get at the connect information except via the security system. Without the connect information, the user cannot simply substitute unrestricted tools for a restricted software application and so gain access to data for which they are not authorised; the security system blocks the user from obtaining the connect information.
In particular, the connect information for a selected database or software process never has to be stored at the user station, even to establish connection to it. This significantly improves security against hacking.
Although the connection information is transmitted through the user station in setting up the connection, it is preferably transmitted in encrypted form.
Once the user station is connected to a selected database or process, the security system can drop out, using the disconnect means, and thus remain available for further requests. Preferably, the security system will accept a fresh input from a user station which has already established connection to a database or process using the security system. It is possible then for one user station to run multiple applications concurrently, for instance potentially displaying the results of running different tools with the same set of data in different windows on screen, simultaneously.
Preferably, the security system comprises at least two parts, each part being provided with authentication means, a first of said two parts comprising i) and ii) above and further comprising:
ix) substitute login means to disconnect a connection between the first part and a user station and to trigger reconnection of the user station to the second of said two parts; and
x) data storage for identification data for use by the authentication means of the second part,
wherein the substitute login means has access to the data storage for identification data and is arranged to supply identification data from that data storage for use in said reconnection.
The substitute login means provides an additional defence to hacking since the user never has knowledge of the identification data, for instance ID and password, which has given them access to the second part of the security system. Preferably, it is the second of the two parts which comprises iii) to vii) above. Hence the user can only get access to the selected database or software process via the second part of the security system and they never have knowledge of the identification data for that second part.
Preferably, the security system further comprises an access information store and means for outputting to a user station at least one encrypted data file, said encrypted data file comprising access information in respect of a selected database or software process. The access information contained in an encrypted data file may be determined at least in part by the user identification data received at the input means. This allows a selected database or software process to read the access rights relevant to a user at runtime, at the user station, without the security system having to remain involved. It also enhances security as discussed below.
It is known for a user to have a user profile for a database or software process. The user profile is allocated to the user and holds access information (defines the access rights) for that user in respect of a database or software process. User profiles might be stored with the database or software process and the user identification data, which the individual user knew and entered, is used by the database or software process to select and apply the relevant user profile. This suffers from the problem that there has to be a profile for every user. This can take up significant storage space.
In embodiments of the present invention, the access information store holds identifiers for data sets, or selections of functionality. It does not hold user profiles. When a user first enters an ID and password, the substitute login means can substitute, unknown to the user, effectively an identifier for a data set or selection of functionality which is then sent as the encrypted data file to the user station. Several users may share access rights to the same data set or selection of functionality and a representation of those access rights need only be stored once for all such users.
Preferably, selectable databases and software processes reside on platform equipment separate from that of the security system and the security system comprises the means to log the user on with respect to a selected software process by substituting a third set of identification data which is transmitted via the user terminal to the platform equipment but which is never stored at the user terminal. Preferably this third set is encrypted prior to transmission. The use of a third set of identification data, both unknown to the user and never stored at the user station, provides further security.
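As an added illustration of the flow described in i) to x) above and of the third set of identification data just mentioned (example code written for this page, not code from the patent), the following models the security system translating a process identifier to connect information, sealing it together with a substituted login and a data-set identifier, and the database platform unsealing it; the user station only ever forwards the opaque blob. All store contents, host names and credentials are constructed, and the SHA-256 keystream is a labelled stand-in for a real authenticated cipher.

```python
import hashlib, hmac, json, os

# Constructed stores of the security system (hypothetical values, not from the patent).
USERS = {"alice": hashlib.sha256(b"alice-pw").hexdigest()}           # i) / ii): user identification data
ACCESS = {"alice": "ACCOUNTS_READ_ONLY"}                            # iii): identifier for a data set, not a profile
CONNECT = {"accounts_db": {"host": "db.internal.example", "port": 5432}}  # iv): connect information
SUBSTITUTE_LOGIN = {"accounts_db": ("svc_accounts", "service-secret")}    # x): third set, unknown to the user
DB_KEY = os.urandom(32)   # shared only by the security system and the database platform, never the user station
PLATFORM_ACCOUNTS = {"svc_accounts": "service-secret"}   # database platform's own record of substituted logins

def _keystream(key, nonce, n):
    """Toy SHA-256 counter keystream; a stand-in for a real AEAD such as AES-GCM."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]

def seal(key, obj):
    """Encrypt-then-MAC a JSON payload so it is opaque to the user station it passes through."""
    nonce, pt = os.urandom(16), json.dumps(obj).encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("connect information was altered in transit")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

def security_system_login(user, password, process_id):
    """First part authenticates the user (ii); second part translates the identifier (vi) and
    hands back sealed connect information plus the substituted login (ix, x); the link then drops (viii)."""
    if USERS.get(user) != hashlib.sha256(password.encode()).hexdigest() or process_id not in CONNECT:
        return None
    payload = {"connect": CONNECT[process_id], "login": SUBSTITUTE_LOGIN[process_id], "access": ACCESS[user]}
    return seal(DB_KEY, payload)   # the user station forwards this blob without being able to read it

def database_platform_accept(blob):
    """Platform hosting the database: verify the blob, check the substituted login, apply the data-set id."""
    try:
        p = unseal(DB_KEY, blob)
    except ValueError:
        return None
    svc, secret = p["login"]
    if PLATFORM_ACCOUNTS.get(svc) != secret:
        return None
    return p["access"]   # e.g. "ACCOUNTS_READ_ONLY": rights applied at runtime without the security system
```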